PayPal, WTF?
Limiting password length for what?

PayPal's offering is perhaps not exactly a Shinterface, but it deserves a mention because its password change interface only allows passwords of 8-20 characters – to secure access to a payment method that is reachable from the ENTIRE INTERNET.
For those who don't yet see why this matters: the size and storage cost of a hashed password are fixed and predictable no matter how long the password is, so a 20-character cap buys the storage side nothing. Oh, and long passwords or passphrases are important!
How Are Passwords Stored Securely? 🔐
When you create a password for an online account, the system needs to keep it safe in case someone tries to steal it. The secret? Passwords are never stored in plain text. Instead, they go through a process called hashing and salting.
What is Hashing? 🧩
Hashing turns your password into a unique fingerprint: a fixed-length string of characters that looks nothing like your original password but always represents it uniquely.
For example, the password "MyP@ssword123" might turn into a digest like:
5f4dcc3b5aa765d61d8327deb882cf99
using a hash function such as SHA-256 or bcrypt. (Illustrative digest; a real SHA-256 output is 64 hexadecimal characters, as described below.)
Important:
- Hashes are one-way: you can’t get the password back from the hash.
- The output hash length is fixed, regardless of password length.
For instance, SHA-256 always outputs 256 bits (32 bytes), no matter if your password is 6 or 50 characters.
What is Salting? 🧂
To make things even more secure, a unique salt (a random string) is added to each password before hashing.
For example, if your password is "MyP@ssword123" and the salt is "x9f8z3q", the system combines them like:
MyP@ssword123x9f8z3q
and then hashes this combined string.
Why?
- It stops hackers from using precomputed lists of common password hashes (called rainbow tables).
- Even if two users have the same password, their salted hashes will look completely different.
The salt itself is stored alongside the hash in the database.
How Long Is The Hash? 📏
- The length of the hash depends on the hashing algorithm, not on password length.
- Common hash lengths:
  - SHA-256: 256 bits → 32 bytes → represented as 64 hexadecimal characters (0-9, a-f).
  - bcrypt: always outputs a 60-character hash string (including metadata).
  - Argon2: variable length, often around 32-64 bytes.
Putting It All Together — Storage Example 💾
| Password Length | Salt Length | Hashed Output Length (SHA-256) | Hashed Output Length (bcrypt) |
|---|---|---|---|
| 8 chars | 16 bytes | 64 hex chars | 60 chars |
| 32 chars | 16 bytes | 64 hex chars | 60 chars |
| 128 chars | 16 bytes | 64 hex chars | 60 chars |
The hash output size stays constant, regardless of how long your password is.
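The salted-hashing flow described above and the constant-size storage shown in the table, as an added example that is not part of the original post and not PayPal's code. It uses PBKDF2-HMAC-SHA256 from Python's standard library instead of the bare "concatenate salt and password, then hash once" scheme sketched above, because a deliberately slow key-derivation function is what a password store should use; the salt is still random per user and stored beside the digest. The iteration count, record format and sample passwords are assumptions chosen for the example (OWASP currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256 in production). One real source of a length cap worth knowing about is bcrypt, which only consumes the first 72 bytes of input; even that is far above 20 characters.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Hypothetical work factor, kept low so the example runs quickly; production
# deployments use a much higher count (OWASP: 600,000 for PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000
SALT_BYTES = 16  # matches the 16-byte salt column in the table above

# Constructed sample passwords of 8, 32 and 128 characters (the table's rows).
SAMPLE_PASSWORDS = [
    "Tr0ub4d0",
    "correct-horse-battery-staple-2024",
    "a-long-passphrase-that-nobody-will-ever-guess-because-it-is-built-from-"
    "many-words-and-keeps-going-on-and-on-and-on-and-on-ok!",
]
# Pad/trim so the lengths are exactly 8, 32 and 128 (constructed data).
SAMPLE_PASSWORDS[1] = SAMPLE_PASSWORDS[1][:32]
SAMPLE_PASSWORDS[2] = (SAMPLE_PASSWORDS[2] * 2)[:128]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn when none is supplied.  The salt is kept in
    the record (not secret) so that verify_password() can recompute the digest.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the comparison first differs.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def storage_cost_table(passwords: List[str]) -> List[Tuple[int, int, int, int]]:
    """Per password: (password chars, salt bytes, digest hex chars, record chars).

    Demonstrates the point of the table above: the stored size does not grow
    with the password length, so a length cap saves the database nothing.
    """
    rows = []
    for pw in passwords:
        record = hash_password(pw)
        _, _, salt_hex, digest_hex = record.split("$")
        rows.append((len(pw), len(salt_hex) // 2, len(digest_hex), len(record)))
    return rows


if __name__ == "__main__":
    print("pw chars | salt bytes | digest hex chars | record chars")
    for row in storage_cost_table(SAMPLE_PASSWORDS):
        print(" | ".join(str(x) for x in row))
    # Same password, two users: different salts, different records, both verify.
    a = hash_password("MyP@ssword123")
    b = hash_password("MyP@ssword123")
    print("records differ:", a != b, "| both verify:",
          verify_password("MyP@ssword123", a) and verify_password("MyP@ssword123", b))
```

Running the script prints one row per sample password; the digest column is 64 hex characters and the whole record is the same width for the 8-, 32- and 128-character inputs, while the two records for the identical password differ only in their salt and digest.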